Burp Suite User Forum


Content Type incorrectly stated

The response states that the content type is application/font-woff2. However, it actually appears to contain unrecognized content. If the URL path can be manipulated to end with ".html", the following browsers may interpret...

Last updated: Jul 28, 2023 08:14AM UTC | 4 Agent replies | 2 Community replies | Bug Reports

In the proxy history and logger history, if you click on the picture, Burp will freeze

In the proxy history and logger history, if you click on the picture, Burp will freeze even though it is only 8kb, but the 1.4mb js file will not freeze. I guess it is because the picture cannot be correctly processed into a...

Last updated: Jul 28, 2023 07:06AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Repeater: Can't switch protocol from HTTPS to HTTP: "HTTP/2 is currently only supported over TLS"

Repeater won't allow switching the protocol from HTTPS to HTTP ("Configure target details" from upper left pencil icon -> uncheck "HTTPS") when the HTTP request is HTTP/2. It will show an error on the bottom: "HTTP/2 is...

Last updated: Jul 26, 2023 01:46PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Resource Pools Settings not Saved in Project Settings File

Summary: The resource pools under Settings->Project->Tasks are not saved in Project Settings, despite being identified as a project settings area. Use Case: I am attempting to save a project file and share it with...

Last updated: Jul 26, 2023 01:12PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

IP of targets in the logger resolve/change dynamically

With Burp Pro (v2022.12.6) the target IP can be shown in the included Logger function. If the IP of the target changes (e.g. by setting a different IP in the settings, network, connections, hostname resolution overrides)...

Last updated: Jul 26, 2023 07:23AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Burp not connecting to internet

All requests in Burp I am getting timed out. --- SYSTEM...

Last updated: Jul 25, 2023 12:19PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Mark as complete not showing up, in Firefox or Chromium.

Hi, I want to mark all the learning materials from SQL Injection Path as complete. But the checkbox is not present in the "Track your progress" section, either on Firefox or Chromium. Is this on my side? Thanks!

Last updated: Jul 25, 2023 09:04AM UTC | 1 Agent replies | 2 Community replies | Bug Reports

iOS 13 + Burp SSL Certs Not Able to be Fully Trusted

I've followed the appropriate steps to fully trust the burp cert, but as of iOS 13 this does not work and HTTPS requests fail. Looking at iOS 13 release notes, I found this: https://support.apple.com/en-us/HT210176 -- I...

Last updated: Jul 24, 2023 01:49PM UTC | 34 Agent replies | 62 Community replies | Bug Reports

Target page only keeps the record of the last API request if the API endpoint is the same and the REST method is not the same.

I was trying to record the API for an application. I observed that the Burp Target page only keeps the record of the last API request if the API endpoint is the same and the REST method is not the same. For example, we...

Last updated: Jul 21, 2023 06:44PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

Lab: Cache key injection - expert lab allowing a simple solution

Hello guys, The hint for this lab is: "Solving this lab requires an understanding of several other web vulnerabilities. If you're still having trouble solving it after several hours, we recommend completing all other...

Last updated: Jul 21, 2023 12:15PM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to perform web cache poisoning - broken?

Hi, the above lab cannot be solved (using the solution, the community solution or 3rd party solutions anyway). The community solution is outdated now, but the comments on the official YT page are also saying they are...

Last updated: Jul 21, 2023 10:57AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Burpsuite Professional fails to handle Blazor SignalR WebSocket traffic

Hello, During my work, I've stumbled across a web application project which uses the Blazor technology. Blazor is a .NET framework that uses the SignalR library. This leads to use of WebSocket protocol communication in every...

Last updated: Jul 21, 2023 10:30AM UTC | 8 Agent replies | 7 Community replies | Bug Reports

An incorrect example in the "Exploiting HTTP request smuggling" section on the Web Security Academy.

In one of the "Revealing front-end request rewriting" examples, the Content-Length is wrong. POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 130 Transfer-Encoding: chunked 0 POST /login...

Last updated: Jul 21, 2023 07:21AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Collaborator reports multiple interactions instead of one

During an assessment it was noticed that if the payload (request to the Collaborator server) includes more than one Collaborator URL, Burp Collaborator reports one connection (single HTTP request) as multiple based on the...

Last updated: Jul 19, 2023 09:56AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

SSRF LABS

Hello, in the SSRF labs the lab Blind SSRF with Shellshock exploitation is repeated. Regards

Last updated: Jul 18, 2023 07:50AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

NET::ERR_CERT_AUTHORITY_INVALID Help

NET::ERR_CERT_AUTHORITY_INVALID Help

Last updated: Jul 18, 2023 07:14AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Can't validate a challenge even though my exploit works

Lab name: Performing CSRF exploits over GraphQL

Last updated: Jul 17, 2023 07:21AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

BChecks Cannot insert payload into body

This is okay: "given any insertion point then". That does not work: "given body insertion point then". My body is...

Last updated: Jul 13, 2023 09:58AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp Suite Enterprise Agent - Error with Unattended Install using varfile

I'm trying to install the Burp Suite Enterprise Scanning agent on Ubuntu. I'm getting errors when running the below: `$ sudo sh burpsuite_enterprise_linux_v2023_6_1.sh -q -varfile response.varfile` Unpacking JRE...

Last updated: Jul 12, 2023 06:04PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

ERR_TUNNEL_CONNECTION_FAILED when I launch Chromium from Burp Professional

I've started to get this issue more and more... seems to not happen after a fresh restart. I open Chromium and try and go to my lab and get 'ERR_TUNNEL_CONNECTION_FAILED'... If I get that, I cannot surf to any sites (...

Last updated: Jul 11, 2023 12:57PM UTC | 4 Agent replies | 4 Community replies | Bug Reports
